Re: Amazon Web Services - Can you log the infrastructure?

[Karl Bernard <karl.bernard () GMAIL COM>]

I received a suggestion to take a look at AWS Identity and Access
Management (IAM), and although it looks promising, I looked over IAM and
found these unfortunate answers in the FAQ:

Q: Will AWS Identity and Access Management administrative actions be logged
to an audit trail?No. This is planned for a future release.Q: Will user
actions in AWS services be logged to an audit trail?No. This is planned for
a future release
http://aws.amazon.com/iam/faqs/#Will_Identity_and_Access_Management_administrative_actions_be_logged_to_an_audit_trail

This makes it problematic for us - hopefully someone else has some kind of
workaround or well-worded risk acceptance we can look at. Our customers are
quietly asking to use cloud services now, but I suspect there will be an
all out clamoring before long, so we hope to have some kind of workable
answer soon so we can get ahead of things.

Thanks,

Karl

On Wed, Feb 20, 2013 at 10:33 AM, Karl Bernard <karl.bernard () gmail com>wrote:

> We (IT Security) have been asked to work on a project to do a POC setup of
> an AWS Virtual Private Cloud (VPC) that will in turn be IPsec tunneled back
> to our infrastructure using a Cisco ISA. We're slowly working our way
> through that part, but my biggest question is that when I was looking at
> the AWS management console, I couldn't find any activity logs for who's
> logged into the management console and what changes have been made. Does
> anyone know if this is available, or where I can find it if I've overlooked
> it? Ideally, we would like to see those logs come back to our 'real'
> network via syslog through the VPN tunnel, or via some kind of secure log
> streaming from AWS itself.
>
> Related to this - has anyone setup a HIPAA-compliant VPC with AWS or with
> any other cloud infrastructure vendors?
>
> Thanks for your input,
>
> Karl Bernard
> Senior Information Security Analyst
> UTHealth, Academic Health Center at Houston